Threat Hunting Overview with 7 Common Hunts

Dabble or Deep Dive: 7 Different Threat Hunts You Can Do With Available Resources In this real training for free session, we will discuss the minimum toolset and data requirements (and not necessarily volume) you need for successful threat hunting. We will take into account that while some of you can devote most of your time to threat hunting, most of us have limited time and resources for this activity. The good news is that threat hunting is flexible and anyone can do it, ranging from a few hours a week to full-time. As just one example, a great type of threat hunting is to look for unrecognized/suspicious executables running on you network. You can dip your toe in the water with this type of hunt with a small commitment of time and resources or you can plunge in deep with a major data collection and analysis effort. Starting out simple means you just focus on EXE names; baseline the EXE names being executed on your network, and then perform a daily review of new EXE names showing up for the first time. You can get this information from event ID 4688 and the query capabilities are very light. But I think you’ll be surprised what you are able to learn and catch. We will take the same approach with a total of 7 types of threat hunting: Recognizing suspicious software Scripting abuse AV follow-up Lateral movement Persistence DNS abuse Bait-the-bad-guy LogRhythm is sponsoring this real training for free event and Nathan Quist (aka “Q”) is helping me on this event. Q is LogRythm’s Threat Research Engineer and works with LogRhythm’s internal SOC team and its clients to perform deep dives into their environments to uncover threats facing our industry.